JP2022180096A - NETWORK MONITORING DEVICE, NETWORK MONITORING SYSTEM, NETWORK MONITORING METHOD, AND PROGRAM - Google Patents

Abstract

Kind Code: A1 A network monitoring device, a network monitoring system, and a network monitoring device that contribute to processing notifications without omission without discarding trap signals due to an increase in the load on the monitoring device even if the amount of trap signals from network devices increases. Provision of methods and programs. A trap signal receiving unit for receiving a trap signal from a network device, a buffer unit for buffering the trap signal, a trap signal recording unit for recording the trap signal, and a and a trap signal output unit for outputting the trap signal to the trap signal recording unit. [Selection drawing] Fig. 1

Description

The present invention relates to a network monitoring device, a network monitoring system, a network monitoring method, and a program.

The number of devices connected to networks is increasing, and the amount of trap signals for monitoring sent to network monitoring devices is also increasing accordingly. As the amount of trap signals to be sent increases, the processing capacity of the network monitoring device may be exceeded. In that case, the trap signal may be discarded by the network monitoring device.

In Patent Document 1, a UDP (User Datagram Protocol) packet for transmitting a trap signal by SNMP (Simple Network Management Protocol), which is transmitted from a network device (agent) to a network monitoring device (manager), is duplicated. A communication system is disclosed that compares transmitted and received data. Specifically, one agent transmits a trap signal using two communication paths, and the manager receives this and stores it in two reception data storage queues. The trap signals stored in these two received data storage queues are compared. As a result, the trap information transmitted from the agent can be stored in the event storage area without excess or deficiency.

Patent Literature 2 discloses a monitoring system provided with a device dedicated to trap reception. The device has a sufficiently large storage area, and trap signals sent by each agent are first stored in the device and forwarded to the monitoring device. By receiving and storing the trap signal generated at the time of switching the duplex system, the loss of the trap signal during the system switching is prevented.

In Patent Document 3, when the number of received trap notification signals exceeds a predetermined threshold value within a predetermined period of time, a network device is instructed to stop trap notification, and the reception mode is changed from an event-driven trap notification mode. Network monitoring systems and the like are disclosed that can be changed to polling mode. This aims to avoid network congestion and increased load on the monitoring device when a large number of trap notifications occur in bursts.

JP 2006-180223 A JP 2007-018243 A JP 2013-009139 A

In addition, each disclosure of the above prior art documents is incorporated into this document by reference. The following analysis was made by the inventors.

The invention described in Patent Document 1 is effective when some UDP packets do not arrive due to network congestion, etc., but data is received from two paths, stored in a received data storage queue, and Since it is necessary to perform processing to compare the trap information in the received data, the load on the monitoring device increases more than usual, and as a result, there is a possibility that trap signals that cannot be processed are discarded by the network monitoring device. . In the invention described in Patent Document 2, it is possible to buffer trap signals with a sufficient storage area. can overflow storage and lose trap signals. In addition, in the invention described in Patent Document 3, when the mode is changed to polling mode, it is expected that network congestion and load increase of the monitoring device due to the establishment of many connections for polling are expected, and the UDP packet of the transmitted trap signal is lost. Also, there is concern about discarding packets that cannot be processed by the monitoring device.

Therefore, in the present invention, even if the amount of trap signals from network devices increases, trap signals will not be discarded due to an increase in the load on the monitoring device, and a network monitoring device and a network monitoring system will contribute to processing notifications without omission. , the main purpose of which is to provide a network monitoring method and program.

According to a first aspect of the present invention or disclosure, a trap signal receiving unit that receives a trap signal from a network device, a buffer unit that buffers the trap signal, and a trap signal recording unit that records the trap signal. and a trap signal output unit for outputting the trap signal buffered in the buffer unit to the trap signal recording unit.

According to a second aspect of the present invention or disclosure, a plurality of trap signal recording devices having a trap signal recording unit for recording trap signals, and receiving trap signals addressed to the plurality of trap signal recording devices from a network device. an aggregation buffer unit for buffering the aggregated trap signals; and an aggregate trap signal output unit for outputting the buffered trap signals to the plurality of trap signal recording devices. and a trap signal aggregator having a network monitoring system.

According to a third aspect of the present invention or disclosure, a step of receiving a trap signal from a network device, a step of buffering the trap signal, and outputting the trap signal buffered in the buffer unit and recording the output trap signal.

According to a fourth aspect of the present invention or disclosure, a process of receiving a trap signal from a network device, a process of buffering the trap signal, and outputting the trap signal buffered in the buffer unit A program is provided that causes a computer to execute the process and the process of recording the output trap signal.
This program can be recorded in a computer-readable storage medium. The storage medium can be non-transient such as semiconductor memory, hard disk, magnetic recording medium, optical recording medium, and the like. The invention can also be embodied as a computer program product.

According to each aspect of the present invention and the disclosure, even if the amount of trap signals from network devices increases, the trap signals will not be discarded due to an increase in the load on the monitoring device, and network monitoring will contribute to processing notifications without omission. An apparatus, network monitoring system, network monitoring method and program are provided.

1 is a diagram for explaining an overview of an embodiment; FIG. 1 is a diagram showing an outline of a network monitoring device according to a first embodiment; FIG. 1 is a diagram illustrating an example of a schematic configuration of a network monitoring device according to a first embodiment; FIG. 4 is a flow chart showing an example of the operation of the network monitoring device according to the first embodiment; 2 is a schematic diagram showing the hardware configuration of a network monitoring device; FIG. FIG. 10 is a diagram illustrating an example of a schematic configuration of a network monitoring device according to a second embodiment; FIG. FIG. 11 is a diagram showing an example of a schematic configuration of a network monitoring system according to a third embodiment; FIG.

First, an overview of one embodiment will be described. It should be noted that the drawing reference numerals added to this outline are added to each element for convenience as an example to aid understanding, and the description of this outline does not intend any limitation. Also, connecting lines between blocks in each figure include both bi-directional and uni-directional. The unidirectional arrows schematically show the flow of main signals (data) and do not exclude bidirectionality. Furthermore, in the circuit diagrams, block diagrams, internal configuration diagrams, connection diagrams, etc. disclosed in the present application, an input port and an output port exist at the input end and the output end of each connection line, respectively, although not explicitly shown. The input/output interface is the same.

A network monitoring device 10 according to one embodiment has a trap signal receiving section 11, a buffer section 12, a trap signal recording section 13, and a trap signal output section 14 (see FIG. 1).

The trap signal receiver 11 receives trap signals from network devices. A buffer unit 12 buffers the trap signal. The trap signal recording unit 13 records the trap signal. The trap signal output section 14 outputs the trap signal buffered in the buffer section 12 to the trap signal recording section 13 .

The network monitoring device 10 receives trap signals from network devices and buffers the trap signals. The buffered trap signal is extracted from a buffering queue or the like, and information related to the trap signal is recorded in a file or the like.

In this way, the received trap signal is not transferred directly to the trap signal recording unit 13 and recorded in a file or the like, but is once buffered and taken out so that the trap signal is recorded when the trap signal occurs frequently. It is possible to prevent trap signals from being discarded and missing in the middle of a series of trap signal processing due to an increase in the processing load, which causes an increase in the load on the network monitoring device 10 itself.

Specific embodiments will be described in more detail below with reference to the drawings. In addition, the same code|symbol is attached|subjected to the same component in each embodiment, and the description is abbreviate|omitted.

[First embodiment]
The first embodiment will be described in more detail with reference to the drawings.

FIG. 2 is a diagram showing an outline of a network monitoring device according to the first embodiment. Referring to FIG. 2, first, an SNMP (Simple Network Management Protocol) trap signal from a device connected to a network reaches a module that performs trap signal reception processing. Received trap signals are stored in a storage buffer. The buffer can store n trap signals.

The stored trap signal is retrieved from the storage buffer by the trap signal retrieval processing module and passed to a module that processes the trap signal, such as snmptrapd, which is a daemon program in standby mode. The trap signal retrieval processing module is under control of the decision processing module. The judgment processing module monitors the trap signal reception processing module. For example, until the arrival of 500 trap signals per second, the incoming trap signals are stored in the storage buffer, immediately retrieved by the trap signal retrieval processing module, and snmptrapd. etc.

However, for example, when 500 or more trap signals arrive per second, if the trap signals are passed to snmptrapd etc. immediately, there is a possibility that the processing capacity of snmptrapd etc. will be exceeded. Therefore, the trap signal stored in the storage buffer is retrieved by the trap signal retrieval processing module after waiting for Tmsec. This allows trap signals to be processed by snmptrapd or the like without exceeding the processing capability of snmptrapd or the like.

As described above, the network monitoring apparatus according to the first embodiment makes it possible to prevent an excess of the processing capacity of a processing module such as snmptrapd by causing an incoming trap signal to wait in a buffer. As a result, it is possible to prevent the state information of the network device from being lost due to the discarding of the trap signal in the processing module such as snmptrapd.

FIG. 3 is a diagram illustrating an example of a schematic configuration of a network monitoring device according to the first embodiment; Referring to FIG. 3 , the network monitoring device 10 has a trap signal receiving section 11 , a buffer section 12 , a trap signal recording section 13 , a trap signal output section 14 and a judgment section 15 . Note that FIG. 3 is an example and is not intended to limit the configuration of the system.

A trap signal receiving unit 11 receives a trap signal from a network device. Specifically, a trap signal issued by a router, switch, server, or the like connected to the network is received via the network. A “trap signal” is information sent from the network device to the network monitoring device 10 upon detection of a transition of the network device to a predetermined state. In a network using snmp, an snmp agent in a network device sends an snmp trap signal to the network monitoring device 10, which is an snmp manager, when an event determined by settings occurs. The received trap signal is sent to the buffer section 12 . The trap signal receiving unit 11 is composed of a network interface, a module for receiving and processing IP packets, and the like.

The buffer unit 12 has a function of buffering the trap signal. "Buffering" refers to temporarily storing and holding trap signals in storage. The buffers are typically arranged in an array and are capable of storing multiple trap signals. The array may form a FIFO (First In First Out) queue or may form a LIFO (Last In First Out) stack. The buffer unit 12 is realized by, for example, securing a partial area on a memory such as a RAM (Random Access Memory).

The trap signal recording unit 13 records the trap signal. Specifically, the trap signal output unit 14, which will be described later, receives the trap signal extracted from the buffer unit 12 and output to the trap signal recording unit 13 as an input, and writes the information contained in the trap signal to a log file or the like. For example, for snmp, snmptrapd will do this. "Recording" refers to outputting information contained in a trap signal to a log file, spool file, or the like. The trap signal recording unit 13 is composed of a storage medium such as a RAM or HDD (Hard Disk Drive), a program module for executing recording, and the like. Note that the trap signal recording unit 13 may be arranged on a server separate from the network monitoring device.

The trap signal output section 14 outputs the trap signal buffered in the buffer section 12 to the trap signal recording section 13 . “Output” refers to a process of transferring a buffered trap signal from a storage area storing the trap signal to a program module or the like constituting the trap signal recording unit 13 .

The trap signal output unit 14 outputs the trap signal buffered in the buffer unit 12 to the trap signal recording unit 13 based on the determination result of the determination unit 15, which will be described later. “Based on the result of determination” refers to receiving the result of determination by the determination unit 15 and selecting and executing predetermined processing according to the result of determination. The details of the "processing according to the determination result" will be described later. The trap signal output unit is composed of a program module or the like for acquiring the determination result and outputting the trap signal.

The determination unit 15 determines whether or not the number of arrivals of trap signals per predetermined time exceeds a predetermined value. Specifically, it is determined whether or not the number of arrivals of trap signals per predetermined time exceeds a predetermined value at which the trap signal recording unit 13 can record trap signals in a predetermined time. As a result of the judgment, "processing according to the judgment result" is performed. Until the number of arrivals exceeds a predetermined value, the trap signal output section 14 is controlled to immediately output the trap signal stored in the buffer section 12 to the trap signal recording section 13 . On the other hand, when the predetermined value is exceeded, the trap signal output unit 14 is controlled to output the trap signal to the trap signal recording unit 13 after waiting for a predetermined time. The determination unit 15 is composed of a program module or the like including a calculation process for comparing the number of arrivals of traps per unit time with a predetermined value.

[Process flow]
FIG. 4 is a flow chart for explaining the operation of the network monitoring device 10 according to the first embodiment. It is a flow of a series of processing from receiving one trap signal to recording it.

When the network monitor 10 starts operating, the trap signal receiver 11 waits for a trap signal (step S11). When the trap signal receiver 11 receives the trap signal (step S11), the buffer 12 stores the received trap signal in the buffer (step S12).

When the trap signal is stored in the buffer, the determination unit 15 performs determination processing as to whether or not the number of arrivals of the trap signal exceeds a predetermined value (step S13). As a result of the judgment processing, if the judgment result (Y) is that the number of the trap signal is exceeded, after waiting for a predetermined time (step S14), the trap signal output section 14 outputs the trap signal buffered in the buffer section. It is extracted and output to the trap signal recording unit 13 (step S15). On the other hand, if the determination result (N) is that the limit is not exceeded, a trap signal is immediately output without waiting (step S15). The output trap signal is recorded by the trap signal recording unit 13 (step S16), and the process ends.

[Hardware configuration]
The network monitoring device 10 can be configured by an information processing device (computer), and has the configuration illustrated in FIG. For example, the network monitoring device 10 includes a CPU (Central Processing Unit) 101, a memory 102, an input/output interface 103, a communication means such as a NIC (Network Interface Card) 104, etc., which are interconnected by an internal bus 105. FIG.

However, the configuration shown in FIG. 5 is not meant to limit the hardware configuration of the network monitoring device 10. FIG. The network monitoring device 10 may include hardware (not shown) and may not have the input/output interface 103 as necessary. Also, the number of CPUs included in the network monitoring device 10 is not limited to the example shown in FIG.

The memory 102 is a RAM (Random Access Memory), a ROM (Read Only Memory), an auxiliary storage device (such as a hard disk).

The input/output interface 103 is a means that serves as an interface for a display device and an input device (not shown). The display device is, for example, a liquid crystal display. The input device is, for example, a device such as a keyboard or mouse that receives user operations.

The network monitoring device 10 includes a trap signal reception program, a buffering program, a judgment program, a trap signal output program, and a trap signal recording program, which are processing modules. The processing module is implemented, for example, by CPU 101 executing a trap signal reception program stored in memory 102 . Also, the program can be downloaded via a network or updated using a storage medium storing the program. Furthermore, the processing module may be realized by a semiconductor chip. In other words, it is sufficient if there is means for executing the functions performed by the processing module by some kind of hardware and/or software.

[Hardware operation]
When the network monitoring device 10 starts to operate, the trap signal reception program is read from the memory 102 and executed by the CPU 101 . The program receives trap signal data from the monitored network device via the input/output interface 103 . The received trap signal data is passed to the buffering program.

The buffering program receives trap signal data from the trap signal reception program and stores it in a buffer area secured in memory 102 .

In parallel with the above, the determination program counts the trap signal data received by the trap signal reception program, and calculates the number of arrivals of the trap signal per predetermined time. The determination program calls a predetermined value stored in advance in the memory 102 and compares it with the calculated number of arrivals of trap signals. As a result, if the number of arrivals is greater than a predetermined value, a signal is sent to the trap signal output program to wait. Conversely, if it is greater than the predetermined value, it sends a signal not to wait.

The trap signal output program reads from the memory 102 a value indicating a predetermined waiting time when the program is activated. When the trap signal output program receives the above signal to wait, it waits for the trap signal data stored in the buffer area for a predetermined time until it receives the next signal not to wait, and then outputs it to the trap signal recording program. do. Further, when the trap signal output program receives the above-mentioned signal not to wait, it immediately outputs the trap signal data stored in the buffer area to the trap signal recording program until it receives the next signal to wait. .

The trap signal recording program receives the trap signal data output from the trap signal output program, and performs processing such as passing it to a log file, spool file, or other program.

[Explanation of effect]
The network monitoring device of this embodiment can wait in the buffer area for a predetermined time when the number of trap signals arriving within a predetermined time exceeds a predetermined value. As a result, it is possible not to exceed the processing capacity of the module that executes processing such as trap signal recording. Therefore, it is possible to prevent trap signals from being discarded due to excessive processing capacity, and to acquire the state information of the network devices without omission.

[Second embodiment]
FIG. 6 is a diagram showing an example of a schematic configuration of a network monitoring device according to the second embodiment. Referring to FIG. 6 , the network monitoring device 10 has a trap signal receiving section 11 , a buffer section 12 , a trap signal recording section 13 , a trap signal output section 14 and a judgment section 15 . Since these constituent requirements have already been explained above, their description is omitted. A feature of the network monitoring apparatus according to the second embodiment is that it further includes a determination unit 16 . It should be noted that FIG. 6 is an example and is not meant to limit the configuration of the system.

The determination unit 16 determines a predetermined value used in the determination unit 15 based on the number of arrivals of trap signals per predetermined time and the number of trap signals recorded in the trap signal recording unit 13 per predetermined time. For example, if the trap signal recording unit 13 can complete recording in 0.002 sec upon receiving one trap signal input, it has a processing capacity of 500 cases in 1 sec. Then, the trap signal recording unit 13 can perform processing without the possibility of discarding the trap signal if the number of arrivals of the trap signal per predetermined time is up to 500. Incidentally, it is of course possible to set the actual predetermined value to 300 or the like with a margin, taking various influences into account. The determination unit 16 is composed of a program module or the like having a timer or the like for measuring time and a counter for counting the number of arrivals of trap signals per predetermined time in the trap signal receiving unit 11 .

Furthermore, the determination unit 16 can adjust the predetermined value set as the default value. Specifically, when the number of arrivals of the trap signal per predetermined time is compared with the actual number of recordings of the trap signal recording unit 13 per predetermined time, and the actual number of recordings is less than the number of arrivals. , to decrease the predetermined value used in the determination unit. If the number of records is less than the number of arrivals of trap signals, it means that there is a lack of trap signals. It is possible to prevent the loss of information due to subsequent discarding of the trap signal or the like by causing the signal to wait.

Further, the determination unit 16 causes the trap signal output unit 14 to wait for the trap signal for a predetermined time based on the number of arrivals of the trap signal per predetermined time and the number of records of the trap signal recording unit 13 per the predetermined time. may be determined. For example, if the trap signal recording unit 13 can complete recording in 0.002 sec upon receiving one trap signal input, the trap signal recording unit 13 has a processing capacity of 500 cases per sec. Here, the predetermined value of the number of arrivals of trap signals per unit time used by the determination unit 15 is set to 300. FIG. Then, the waiting time of the trap signal is obtained by the formula for calculating the queue waiting time T _w (T _w =(ρ/1−ρ)×T _s ). where ρ is (predetermined number of arrivals per second)/(processing capacity per second), and _Ts is the processing time per trap signal of the trap signal recording section 13 . When the waiting time is calculated by the above formula, it is 0.003 sec, and it is preferable to set the waiting time to at least 0.003 sec. In addition, since the number of trap signals in the waiting state at this time is 1.5 (ρ/1−ρ), it is theoretically considered that at least two buffer areas are required in the buffer section 12 .

[Explanation of effect]
The network monitoring device 10 of the present embodiment includes the determination unit 16 to determine a predetermined value used by the determination unit 15 and a predetermined time for waiting for a trap signal in the trap signal output unit 14. It is possible. Furthermore, it is possible to adjust the predetermined value used by the determination unit 15 set as a default value. As a result, it is possible to determine a set value in accordance with the processing capacity of the trap signal recording unit 13, thereby preventing trap signals from being discarded due to the number of arrivals of trap signals per predetermined time exceeding the processing capacity. can be prevented.

[Third embodiment]
FIG. 7 is a diagram showing an overview of a network monitoring system according to the third embodiment. Referring to FIG. 7, a plurality of trap signal recording devices 21 to 2n are connected to the trap signal aggregation device 10'. As described above, the network monitoring system of this embodiment has a configuration in which the trap signal aggregation device 10' serves a plurality of trap signal recording devices 21 to 2n. The trap signal aggregation device 10' has a trap signal reception aggregation section 11', an aggregation buffer section 12', and an aggregation trap signal output section 14'. Each of the trap signal recording devices 21 to 2n has a trap signal recording section 13. FIG. The trap signal aggregation device 10' may have a determination unit 15' and a determination unit 16 (not shown).

The trap signal recording unit 13 records trap signals in the same manner as described above. A trap signal receiving and aggregating unit 11' receives and aggregating trap signals addressed to the plurality of trap signal recording devices from network devices. The aggregation buffer unit 12' buffers the aggregated trap signals. The aggregated trap signal output unit 14' outputs the buffered trap signals to the plurality of trap signal recording devices.

The difference between the components of the network monitoring device 10 in the first embodiment and the network monitoring system of the present embodiment is that the trap sent to the trap signal recording unit 13 constituting the plurality of trap signal recording devices 21 to 2n is The point is that the trap signal aggregator 10' buffers the signals intensively and outputs the trap signal.

With SNMP or the like, it is possible to define a different community for each monitoring target, and distribute and manage a large number of existing network devices using a plurality of network monitoring devices. On the other hand, in a configuration in which a network monitoring device is arranged for each community, it takes time and effort to change the settings when the community to which the network device or the like belongs is changed. Further, when one network device belongs to a plurality of communities, that is, when a plurality of trap signal recording devices are jointly monitored, a plurality of networks are connected to a single trap signal recording device (corresponding to snmptrapd, etc.). Trap signals will arrive from the monitoring device, and in some cases, trap signals exceeding the processing capacity may be sent to one trap signal recording device, and trap signals may be discarded. .

The difference between the trap signal reception aggregation unit 11′ and the trap signal reception unit 11 described above is that the trap signal reception aggregation unit 11′ aggregates and receives trap signals directed to a plurality of trap signal recording units 13. be.

The difference between the aggregation buffer section 12 ′ and the buffer section 12 is that the aggregation buffer section 12 ′ stores trap signals directed to a plurality of trap signal recording sections 13 . In the aggregation buffer section 12', the buffer area may be divided and secured for each of a plurality of trap signal recording sections 13 (a plurality of trap signal recording devices).

The difference between the aggregate trap signal output section 14 ′ and the trap signal output section 14 is that the aggregate trap signal output section 14 ′ outputs trap signals to a plurality of trap signal recording sections 13 .

The difference between the determination unit 15' and the determination unit 15 is that the determination unit 15' determines that the number of arrivals of trap signals addressed to a plurality of trap signal recording units 13 (a plurality of trap signal recording devices) per predetermined time does not exceed a predetermined value. It is a point to judge whether or not it is exceeded. The determination unit 15 ′ may determine whether the number of arrivals exceeds a predetermined value for each of the plurality of trap signal recording units 13 (plurality of trap signal recording devices).

Note that the trap signal aggregation device 10' may have a determination unit (not shown). The determination unit may determine a predetermined value of the number of arrivals of trap signals per predetermined time period and a predetermined time period for buffering the trap signals for each of the plurality of trap signal recording devices.

The processing flow, hardware configuration, and operation of the network monitoring system of this embodiment are basically the same as those of the first embodiment. Therefore, the description is omitted.

[Explanation of effect]
In the network monitoring system of this embodiment, trap signals from network devices to be monitored can be aggregated and trap signals can be output for each of a plurality of trap signal recording devices. As a result, the trap signal exceeding the processing capacity is not transmitted to each trap signal recording device, so that the trap signal is not discarded.

Some or all of the above embodiments may also be described as follows, but are not limited to the following.
[Mode 1]
This is the network monitoring device according to the first aspect described above.
[Mode 2]
The trap signal output unit further includes a determination unit that determines whether the number of arrivals of the trap signal per predetermined time exceeds a predetermined value, and the trap signal output unit outputs the buffer based on the determination result of the determination unit. Preferably, the network monitoring device according to form 1, which outputs the trap signal buffered in the unit to the trap signal recording unit.
[Form 3]
The trap signal output unit waits the trap signal buffered in the buffer unit for a predetermined time when the determination result of the determination unit indicates that the predetermined value is exceeded. A network monitoring device, preferably of form 2, with post-output.
[Mode 4]
Preferably, the method further comprises a determination unit that determines the predetermined value used in the determination unit based on the number of arrivals of the trap signal per predetermined time and the number of records of the trap signal recording unit per predetermined time. is a network monitoring device of form 2 or 3;
[Mode 5]
The determination unit has the trap signal output unit buffered in the buffer unit based on the number of arrivals of the trap signal per predetermined time and the number of records per predetermined time of the trap signal recording unit. determining a predetermined amount of time to wait for the trap signal;
Preferably, the network monitoring device of form 4.
[Mode 6]
The determining unit compares the number of arrivals of the trap signal per predetermined time with the number of recordings of the trap signal recording unit per the predetermined time, and determines when the number of recordings is less than the number of arrivals. 6. A network monitoring device, preferably according to form 4 or 5, which reduces said predetermined value used in part.
[Mode 7]
This is the network monitoring system according to the second aspect described above.
[Mode 8]
The trap signal aggregating device further has a determination unit that determines whether the number of arrivals of the trap signals per predetermined time period exceeds a predetermined value, and the aggregated trap signal output unit outputting the trap signal buffered in the aggregation buffer unit to the plurality of trap signal recording devices according to the judgment result;
Network monitoring system, preferably of form 7.
[Mode 9]
This is the network monitoring method according to the third aspect described above.
[Form 10]
This is the same as the program related to the fourth viewpoint mentioned above.
It should be noted that the 9th and 10th forms can be developed into the 2nd to 6th forms in the same way as the 1st form.

The disclosures of the cited patent documents and the like are incorporated herein by reference. Within the framework of the full disclosure of the present invention (including the scope of claims), modifications and adjustments of the embodiments and examples are possible based on the basic technical concept thereof. Also, various combinations or selections of various disclosure elements (including each element of each claim, each element of each embodiment or example, each element of each drawing, etc.) within the framework of the full disclosure of the present invention (including partial deletion) is possible. That is, the present invention naturally includes various variations and modifications that can be made by those skilled in the art according to the entire disclosure including claims and technical ideas. In particular, any numerical range recited herein should be construed as specifically recited for any numerical value or subrange within that range, even if not otherwise stated.

10 network monitoring device 10' trap signal aggregation device 11 trap signal reception unit 11' trap signal reception aggregation unit 12 buffer unit 12' aggregation buffer unit 13 trap signal recording unit 14 trap signal output unit 14' aggregation trap signal output units 15, 15 ' decision unit 16 decision units 21 to 2n trap signal recording device 101 CPU (Central Processing Unit)
102 memory 103 input/output interface 104 NIC (Network Interface Card)
105 internal bus

Claims (10)

a trap signal receiver that receives a trap signal from a network device;
a buffer unit that buffers the trap signal;
a trap signal recording unit that records the trap signal;
a trap signal output unit that outputs the trap signal buffered in the buffer unit to the trap signal recording unit;
network monitoring device. further comprising a determination unit that determines whether the number of arrivals of the trap signal per predetermined time period exceeds a predetermined value;
The trap signal output unit outputs the trap signal buffered in the buffer unit to the trap signal recording unit based on the determination result of the determination unit.
The network monitoring device according to claim 1. The trap signal output unit waits the trap signal buffered in the buffer unit for a predetermined time when the determination result of the determination unit indicates that the predetermined value is exceeded. 3. The network monitoring device of claim 2, post-output. a determination unit that determines the predetermined value used in the determination unit based on the number of arrivals of the trap signal per predetermined time and the number of recordings of the trap signal recording unit per predetermined time;
4. The network monitoring device according to claim 2 or 3, further comprising: The determination unit has the trap signal output unit buffered in the buffer unit based on the number of arrivals of the trap signal per predetermined time and the number of records per predetermined time of the trap signal recording unit. determining a predetermined amount of time to wait for the trap signal;
5. The network monitoring device according to claim 4. The determining unit compares the number of arrivals of the trap signal per predetermined time with the number of recordings of the trap signal recording unit per the predetermined time, and determines when the number of recordings is less than the number of arrivals. reducing the predetermined value used in
6. A network monitoring device according to claim 4 or 5. a plurality of trap signal recording devices having trap signal recording units for recording trap signals;
a trap signal receiving and aggregating unit for receiving and aggregating trap signals addressed to the plurality of trap signal recording devices from network devices;
an aggregation buffer unit that buffers the aggregated trap signal;
an aggregate trap signal output unit that outputs the buffered trap signals to the plurality of trap signal recording devices;
a trap signal aggregator having
A network monitoring system consisting of: The trap signal aggregator is
further comprising a determination unit that determines whether the number of arrivals of the trap signal per predetermined time period exceeds a predetermined value;
The aggregated trap signal output unit outputs the trap signals buffered in the aggregated buffer unit to the plurality of trap signal recording devices according to the judgment result of the judgment unit.
A network monitoring system according to claim 7. receiving a trap signal from a network device;
buffering the trap signal;
outputting the trap signal buffered in a buffer;
recording the output trap signal;
A network monitoring method comprising: a process of receiving a trap signal from a network device;
a process of buffering the trap signal;
a process of outputting the trap signal buffered in a buffer;
a process of recording the output trap signal;
A program that makes a computer run

Images